Abstract. Previously, the author has developed a framework within which to
quantify and compare the resources consumed during computational — especially 
unconventional computational — processes (adding to the familiar resources of 
run-time and memory space such non-standard resources as precision and 
energy); it is natural and beneficial in this framework to employ various 
complexity-theoretic tools and techniques. Here, we seek an analogous treat- 
ment not of computational processes but of cryptographic protocols and similar, 
so as to be able to apply the existing arsenal of complexity-theoretic methods 
in new ways, in the derivation and verification of protocols in a wider, crypto- 
graphic context. Accordingly, we advocate a framework in which one may view 
as resources the costs — which may be related to computation, communication, 
information (including side-channel information) or availability of primitives, 
for example — incurred when executing cryptographic protocols, coin-tossing 
schemes, etc. The ultimate aim is to formulate as a resource, and be able to 
analyse complexity-theoretically, the security of these protocols and schemes. 



1. Introduction 

We begin by outlining in Sect. the notion of resource as already used in a
computational context, and by motivating in Sect. 1.2 extension of the notion to
a cryptographic setting. This leads us to advocate in Sect. 2 a resource-centric
framework in which to derive and analyse cryptographic protocols.

1.1. Background. 

1.1.1. Computation. For present purposes, one may view computation as the con- 
version by some machine, device or system (the computer) of an input value into 
an output value. The details of the computer and its implementation, and even 
of the model of computation (e.g., Turing machine, analogue system or quantum 
computer) to which it conforms, are unimportant; sufficient is that the computer 
have provision for accepting an input value, performing some form of processing, 
and supplying an output value. These three stages together can be viewed as the 
evaluation of a function¹ (that which is computed) at a given value (the input value)
of the function's argument. 

1.1.2. Complexity. Of course, for a computer to be of practical use, it should be 
in some sense efficient. Receiving from the computer a correct output value is not 
in itself sufficient if, for example, the value is not supplied in reasonable time: a 
computation that, between input and output, sees the age of the universe elapse is 
of no real-world use.

1 To some input values there may in fact correspond several potential output values, whence
not a function but rather a multifunction is computed.

One formalizes such ideas of efficiency using computational complexity theory,
wherein the resources consumed during, or required for, computation are quantified. 
The most common form of complexity analysis is measurement of the time that 
elapses during a computation. In the case of a Turing machine, for example, this 
quantity is the number of time-steps that elapse; in that of a physical system such 
as an analogue or optical computer, it is the physical time (in seconds, say) between 
provision of an input value and receipt of an output value. 

Alongside time, one may measure the consumption during computation of space. 
For a Turing machine, this is defined to be the number of (distinct) tape-cells to 
which the machine writes during the computation; for a physical (e.g., analogue 
or optical) system, this is rather the physical volume² occupied by the apparatus
(including any storage space that may be required during computation). 

Time and space, then, are examples of computational resources. These are com- 
modities consumed in some quantity during the computation, or otherwise required 
in some quantity for the computation to succeed. We formalize these as functions 
that map input values to the corresponding required amounts of resource, which 
we take to be natural numbers, rounding or similar when necessary; for example, 
a Turing machine $M$ has time and space resource functions $T_M$ and $S_M$ respectively
(or simply $T$ and $S$ when $M$ is understood) where $T(x)$ is the number of
time-steps that elapse, and $S(x)$ the number of tape-cells to which are written, as
$M$ computes given input $x$ (in fact, when the computers under consideration are
Turing machines, time and space are up to variation the only computational resources;
unconventional, non-Turing systems, on the other hand, may well consume
unconventional resources, as can be seen below).

As is to be expected, such quantities of required resource often depend upon the 
size³ of the input value from which the computation begins: if one wishes to compute
with larger and larger values, then it may well be that the system will require
more and more time to perform the computation, and more and more memory space 
in which to store the intermediate values with which it works. From computational 
resources, then, one may derive corresponding complexity functions — these are
resource consumption viewed as functions of input size. Broadly, whereas a resource
function $A$ maps input values $x$ to the corresponding required, natural-number
amounts of resource, the associated complexity function $A^*$ maps input sizes $n$ to
the corresponding maximum required amounts of resource:

(1) $A^*(n) := \sup \{ A(x) \mid |x| = n \}$.

These are the functions that are spoken of in complexity theory as being logarith- 
mic, polynomial, exponential, etc., and they indicate something of the efficiency 
of computing systems which in turn indicates something of the difficulty of the 
problems that the systems solve. 

2 More precisely, one measures the minimal volume of a cuboid bounding the apparatus; this is a 
more natural and insightful choice than the volume of the computer itself if, for example, the form 
of the computer resembles a space-filling curve, occupying little actual volume but nonetheless 
requiring a large contiguous space. 

3 The appropriate notion of size here depends upon context. A very frequently encountered
example sees the input value take the form of a natural number $k$ presented in binary notation, in
which case the appropriate definition of the size $|k|$ is the number of bits in $k$, or more typically
the approximation $\log_2(k)$ thereof. See for example [9] for further discussion.

4 As a rule of thumb, efficiency is identified with resource consumption that grows no more 
quickly than polynomially in the size of the input value. 
We mention above the standard resources of space and time. We claim now
(and defer to [4] detail and discussion beyond the comments of the following
paragraphs) that, when dealing with 'standard', digital computers (Turing machines, for
example), consideration of no other resources than these two is necessary. Indeed,
the complexity classes of standard complexity theory — some of the more commonly
encountered being P, NP, coNP, PH, PSPACE, EXP, AC⁰, NC, L, P/poly, BPP, BQP
and PP — are defined in terms of time and/or space, but of no other resources.⁵

One may argue, contrarily to this claim, that certain of these standard complexity 
classes are in fact defined in terms of resources other than time and space. For 
example, NP is defined with reference to non-determinism, and NC with reference
to parallelism; non-determinism and parallelism, it can be argued, are resources 
in the sense that their use apparently confers computational advantage. However, 
they are not resources in the same sense as, say, time and space: they are not 
commodity resources (see below and [5]). Each of non-determinism and parallelism
is either permitted by a given computational model, or it is not; whether it is 
depends solely upon the choice of computational model, and in particular not upon 
the choice of input value, and so no complexity functions associated with these two 
'resources' arise in the same way (i.e., as defined by (1)) as that in which time and
space complexity arise. 

The commodity resources (e.g., time but not non-determinism) on which we 
focus in Sect. are exactly the resources suitable for specifying the boundaries 
of complexity classes: whereas NP is defined with reference to non-determinism, 
for example, this is only in the capacity of establishing what is admitted as a 
computer (namely, a non-deterministic Turing machine), rather than how much of 
some commodity the computer is allowed to consume during computation; time, on 
the other hand, bounds NP — one is allowed polynomial time and no more — , and 
thus describes the class's frontier. 

We reiterate that, when one considers only standard computers, there are but 
two applicable commodity resources: time and space. However, there exist also 
non-standard computers — quantum, chemical and optical systems, for example — , 
which may well consume correspondingly non-standard resources. We mention 
now an important such resource, precision, from the author's previous work (see, 
for example, [4] for detail further than that given below). 

1.1.3. Precision. Standard devices such as Turing machines, finite-state automata 
and real-life digital computers operate with discrete (input, intermediate and out- 
put) values such as natural numbers or bits. 

The very definition [11] of a Turing machine gives that one can discern which 
symbol is stored at a given tape location, and which state the machine occupies: 
the Turing machine never presents the difficulty of having to resolve, say, an am- 
biguously written symbol that could be either a '0' or a '1'. That this is so arises 
from the formalization of the respective collections of states and symbols as (finite) 
sets, which do not, of course, admit repetition; the states, and similarly the sym- 
bols, are mathematically distinct elements, with no structure thereamongst based 
upon proximity or similarity. 

5 The classes listed here are all in the 'Petting Zoo' section of Scott Aaronson's Complexity Zoo 
PQ, and as such are amongst purportedly the most important (the most referenced or fundamental, 
say) classes. Neither are the classes that are in the Petting Zoo but not listed here defined in
terms of resources other than time and space. 






ED BLAKEY 



Furthermore, that the values accepted, processed and supplied by a computing
system are discrete is a property satisfied not only by the abstract Turing machine,
but also by the real-world digital computer. Physical implementation sees
the abstract 0s and 1s realized, for example, as potential differences of 0 and 5 volts
respectively; thus, the design of digital computers sacrifices the possibility of
simultaneously conveying many bits over a single physical connection (e.g., by utilizing
potential differences taken from a continuous range), but in so sacrificing maintains
easily distinguishable values: the relatively undemanding requirement of being able
to discern potential difference to within 2.5 volts guarantees that values of 0 and
5 volts are distinguishable, whence the intended bit is correctly retrieved.

However, this discrete nature is not shared by all computers. We give three 
examples. 

• Consider first an optical computer, to which is conveyed an input value
encoded in the wavelength of a light source (cf. the systems of [3] and
Sect. 1.1.4 below); the user's means of supplying to the system the input
value is, for example, to manipulate a variable resistor that controls the
availability of energy to the source, and consequently the wavelength of the
light produced thereby. However, whereas the user has in mind a specific
input value $x$ with which he wishes to compute, his ability physically to
manipulate the resistor may well be marred by imprecision; as a result,
the value actually received by the system may be not $x$, but rather some
arbitrary element of $[x - \epsilon, x + \epsilon]$. Similarly, it may be that the output value
is presented by the system encoded in, say, the distance between two points
of light on a screen; if the user has manually to measure this distance, then
imprecision will once again corrupt the true value.

• A similar situation is encountered with analogue computers (see [6] for a 
notable example, and [4] for associated precision-related discussion): if the 
user is required physically to manipulate parameters of the computer (the 
angle of shafts, for example) so as to effect input, and physically to measure 
parameters of the system (dial readings, for example) so as to effect output, 
then imprecision may be introduced as in the preceding example. 

• A further example with broadly the same features concerns the slide rule. 
The user will be able with arbitrary precision neither to line up the two 
scales of the rule nor to read the value that becomes lined up with a certain 
notch. 

Of course, the pattern common to these examples is that the computations' input 
and output values are encoded in the values of physical parameters, such as wave- 
length, distance and angle. The sets of possible values for these parameters are 
continua (specifically, intervals of real numbers) and the physical manipulation 
and measurement of these parameters will be prone to error. 

All is not lost. Sufficiently small imprecisions may be corrigible, and one may in
fact quantify the precision required (in order that resultant errors can be corrected)
of the user during input and output — we describe this quantification below. This
gives rise to a computational resource, precision — a commodity resource in the
same sense as time and space (recall Sect. 1.1.2).

6 This is true, at least, under the assumption that the computers operate at a super-quantum
scale. In cases where this assumption fails, and notably when quantum phenomena are actively
exploited so as to aid computation, one may encounter different forms of imprecision. It remains,
however, that precision, whatever exact form it may take, is a computational resource relevant to
these physical computations.

Our notion of precision deals specifically with the input and output processes of 
a computation (in particular, precision captures the computer's lack of robustness 
against input/output imprecision). We formalize the relevant aspects of computa- 
tion as follows (and defer further detail to [4]). 

• The computer has a number of physical parameters that effect input and
output: the user conveys to the system his intended input value by manipulating
the input parameters, and, after the computation has taken place,
receives the corresponding output value by measuring the output parameters.
Each of the $p \in \mathbb{N}$ input parameters is modelled as a pair $(i_j, V_{i_j})$
($1 \le j \le p$), where $i_j$ is an input and $V_{i_j}$ the set of values to which $i_j$ may
be set; each output parameter is a pair $(o_k, V_{o_k})$ ($1 \le k \le q \in \mathbb{N}$), where
$o_k$ is an output and $V_{o_k}$ is the set of values that $o_k$ may take.

• Consequently, an input value is an assignment $x \in V_{i_1} \times \dots \times V_{i_p}$ of valid
values to inputs (where input $i_j$ is considered to be assigned the value
$\pi_j(x) \in V_{i_j}$); an output value, similarly, is an assignment $y \in V_{o_1} \times \dots \times V_{o_q}$
of valid values to outputs (where output $o_k$ is considered as having taken
the value $\pi_k(y) \in V_{o_k}$).

• The computation relation (denoted '$\to_\Phi$', where $\Phi$ is the computer in question)
relates an input value to all corresponding output values that can result
(those of which the user seeks one) — this relation is the multifunction
computed by $\Phi$. A deterministic computation, then, has as its computation
relation a (partial) function that maps each input to its unique output (if
defined), whereas non-deterministic computations give rise to more general
relations.

• There are two important input values that, due to imprecision in the physical
process of the user's manipulating the input parameters, may well differ
and that, accordingly, we distinguish: the input value intended by the user,
and that actually implemented by the user. Though imprecise adjustment
of the input parameters may well render these values unequal, they are,
nonetheless, mutually constrained by a relation that depends upon the details
of implementation of the input parameters. For example, it may be
that the user wishes to adjust a dial (input $i$, say) to an angle $\theta \in V_i$,
but is able to guarantee of the angle $\theta'$ actually implemented only that
$|\theta - \theta'| \le \epsilon_i$, where non-negative, real number $\epsilon_i$ depends upon the precise
implementation details of $i$ and reflects the fidelity with which this input
accepts its value.⁷ Whilst the intended and implemented input values typically
differ, then, they are at least related by the input error relation $R_{\epsilon_I}$
characterized by the tuple $\epsilon_I := (\epsilon_{i_1}, \dots, \epsilon_{i_p}) \in \mathbb{R}^p$ of individual input
parameters' error terms (which, in turn, depend upon the details of the process
whereby the user adjusts these parameters): an attempt by the user to set
the input parameters to the (intended) input value $x$ results with strictly
positive probability in the parameters' actually receiving (implemented)
input value $x'$ if and only if $x \mathrel{R_{\epsilon_I}} x'$.

7 That $\theta' \in [\theta - \epsilon_i, \theta + \epsilon_i]$ ($\epsilon_i \ge 0$) follows from our implicitly supposing an additive error
in using $i$; the error may instead be multiplicative — in which case we should have rather that
$\theta' \in [\theta/\epsilon_i, \epsilon_i \theta]$ ($\epsilon_i \ge 1$) — , or may obey some other relation (nonetheless characterized by
real-number error term $\epsilon_i$) constraining $\theta$ and $\theta'$.

• Similarly, there may well be inequality between two important output values:
the true output value, to which the output parameters are set (during
and by the computation), and the measured output value, which is
the outcome of the user's (typically imprecisely) measuring the true output
value. Each output $o_k$ (more specifically, the imprecision arising from
measurement of the output's value) is characterized by non-negative, real
error term $\epsilon_{o_k}$, just as $\epsilon_{i_j}$ characterizes $i_j$ in the previous bullet point.
The true and measured output values, though quite possibly different, are
nonetheless related by the output error relation $R_{\epsilon_O}$, characterized by the
tuple $\epsilon_O := (\epsilon_{o_1}, \dots, \epsilon_{o_q}) \in \mathbb{R}^q$ of individual output parameters' error terms
(which, in turn, depend upon the details of the process whereby the user
measures these parameters): an attempt by the user to measure output
parameters set to the (true) output value $y'$ results with strictly positive
probability in the (measured) output value $y''$ if and only if $y' \mathrel{R_{\epsilon_O}} y''$.

• Let the error of a computer be the concatenation of tuples $\epsilon_I$ and $\epsilon_O$
characterizing the input and output error relations: the error is
$(\epsilon_{i_1}, \dots, \epsilon_{i_p}, \epsilon_{o_1}, \dots, \epsilon_{o_q})$.

• Crucially, imprecision during input and output notwithstanding, the user
may still obtain (i.e., measure) the correct answer to the computation.
For example, if the computation being performed is expected to supply a
natural-number output value, which is presented as the real-number value
of some parameter of the system, then, by rounding the real number to
the nearest integer (so as to convert the measured output value into the
interpreted output value; we use $\mathcal{I}$ to denote this 'interpretation' mapping),
the user can, granted sufficiently little imprecision,⁸ recover the correct
answer; it is this "sufficiently little imprecision" that we formalize in our
definition of the computational resource of precision.

We summarize now the flow of computation in the above bullet points. Without
imprecision, we should have the ideal situation in which the user supplies (intended)
input value $x$ to computer $\Phi$, and receives (measured) output value $y$ satisfying
$x \to_\Phi y$. However, imprecision renders the flow as follows: intended input value $x$
is conveyed to $\Phi$ imprecisely as implemented input value $x'$ ($x \mathrel{R_{\epsilon_I}} x'$), with which $\Phi$
computes, producing true output value $y'$ ($x' \to_\Phi y'$), which the user measures
imprecisely as measured output value $y''$ ($y' \mathrel{R_{\epsilon_O}} y''$), which, in turn, the user interprets
(based, typically, on the expected format of the output value; e.g., by rounding or
similar) as interpreted output value $z := \mathcal{I}(y'')$.

Intuitively, then, (intended) input value $x$ gives rise with strictly positive probability
to (interpreted) output value $z$ if and only if there exist input value $x'$ and
output values $y'$ and $y''$ such that $x \mathrel{R_{\epsilon_I}} x' \to_\Phi y' \mathrel{R_{\epsilon_O}} y'' \overset{\mathcal{I}}{\mapsto} z$. In this case, we say
that $x$ $(\Phi, \epsilon)$-yields $z$, denoted $x \to_{\Phi, \epsilon} z$, where $\epsilon = (\epsilon_I, \epsilon_O) \in \mathbb{R}^{p+q}$.

We are now in a position to define precision. 



8 In this natural-number example, "sufficiently little imprecision" amounts to the net effect of
input imprecision, of the propagation/amplification thereof during computation, and of output
imprecision rendering the measured output value distant by no more than 1/2 from some correct
output value, i.e., an output value related via $\to_\Phi$ to the intended input value.
Definition 1. Let $\Phi$ be a computer with input parameters $(i_1, V_{i_1}), \dots, (i_p, V_{i_p})$
and output parameters $(o_1, V_{o_1}), \dots, (o_q, V_{o_q})$, and let $x$ be an input value for $\Phi$.

• An error $\epsilon \in \mathbb{R}^{p+q}$ is precise for $x$ if, for all $z$ such that $x \to_{\Phi, \epsilon} z$, $x \to_\Phi z$
(i.e., imprecise though input/output may be, a correct output value is
nonetheless produced, at least for input $x$: error $\epsilon$ is 'sufficiently small'
that it is corrected during interpretation).

• $\mathcal{E}_\Phi(x)$ denotes the set $\{ \epsilon \in \mathbb{R}^{p+q} \mid \epsilon \text{ is precise for } x \}$ of errors precise for $x$.

• $V_\Phi(x) \in [0, \infty]$ is the $(p + q)$-dimensional Lebesgue measure of $\mathcal{E}_\Phi(x)$
(depending upon $p + q$, then, this is the length, area, volume or similar of
$\mathcal{E}_\Phi(x)$).

• The precision required by $\Phi$ given $x$ is $P_\Phi(x) := \lfloor 1/V_\Phi(x) \rfloor \in \mathbb{N} \cup \{\infty\}$
(where, as usual, $1/0 := \infty$ and $1/\infty := 0$).

(Subscripts are often omitted when $\Phi$ is understood.)

Intuitively, precision reflects the smallness of the set of errors corrigible by a 
computer, or, equivalently, the intricacy required (so as to achieve a corrigible 
error) of the computer's user when manipulating/measuring parameters. 

As the notation suggests, $P$ is a computational (commodity) resource (recall
Sect. 1.1.2), on an equal footing with time $T$ and space $S$: just as one may ask how
much time will elapse during a computation, or how much space is required in order
for a computation to succeed, one may equally ask (numerically) how much precision
is required for computational success. By considering this precision resource as a
function of input size as in (1), then, one obtains the precision complexity function

$P^*(n) := \sup \{ P(x) \mid |x| = n \}$.

Typically (though by no means necessarily), if input values $x_1$ and $x_2$ satisfy
$|x_1| \le |x_2|$, then $\mathbb{R}^{p+q} \supseteq \mathcal{E}(x_1) \supseteq \mathcal{E}(x_2) \supseteq \emptyset$, whence $0 \le P(x_1) \le P(x_2) \le \infty$;
$P^*$ is, in these typical cases, a non-decreasing function of input size. (We leave
"typical" undefined, since we give here only an intuitive idea of the 'direction' in
which precision increases; cf. a Turing machine's typically, though not necessarily,
requiring more time/space when processing larger input values.)

We defer additional detail regarding precision and precision complexity to (for 
example) [4]. 
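
A worked instance of Definition 1, added here as an illustration and not taken from the paper or from [4]: the toy computer below (an assumption of this example) squares a natural number $x$ supplied on one real-valued input with additive error $\epsilon_i$, and its single real-valued output is read with additive error $\epsilon_o$ and interpreted by rounding to the nearest integer. The function names are this example's own.

```python
"""Precision (Definition 1) worked through for a toy analogue 'squaring' computer."""
import math


def is_precise(x, eps_in, eps_out):
    """True if the error (eps_in, eps_out) is precise for input x."""
    # The implemented input x' lies in [x - eps_in, x + eps_in], the true output
    # is x'^2, and the measured output y'' lies within eps_out of it. Rounding
    # recovers x^2 for every reachable y'' iff the worst-case deviation stays
    # below 1/2; the worst case is x' = x + eps_in, y'' = x'^2 + eps_out.
    worst = 2 * x * eps_in + eps_in ** 2 + eps_out
    return worst < 0.5


def precise_area(x):
    """Lebesgue measure V(x) of the set of precise errors, in closed form."""
    # Largest tolerable input error (taking eps_out = 0): the positive root of
    # 2*x*a + a^2 = 1/2, written so as to avoid cancellation for large x.
    a = 0.5 / (math.sqrt(x * x + 0.5) + x)
    # Integral over eps_in in [0, a] of the admissible range of eps_out,
    # i.e. of (1/2 - 2*x*eps_in - eps_in^2).
    return a * (0.5 - x * a - a * a / 3.0)


def grid_area(x, steps=300):
    """Midpoint-rule estimate of the same area, using only is_precise()."""
    h = 0.5 / steps  # no precise error has a component of 1/2 or more
    hits = sum(
        is_precise(x, (i + 0.5) * h, (j + 0.5) * h)
        for i in range(steps)
        for j in range(steps)
    )
    return hits * h * h


def precision(x):
    """P(x) = floor(1 / V(x))."""
    return math.floor(1.0 / precise_area(x))


def precision_complexity(n):
    """P*(n): the largest P(x) over inputs x that are n bits long."""
    return max(precision(x) for x in range(2 ** (n - 1), 2 ** n))


if __name__ == "__main__":
    print("V(1): closed form", precise_area(1), "grid estimate", grid_area(1))
    for n in range(1, 11):
        print("input size", n, "bits -> precision complexity", precision_complexity(n))
```

For this toy computer $P(x)$ grows like $16x$, so the precision complexity $P^*(n)$ roughly doubles with each extra input bit: it is exponential in the input size even though the computation itself is a single squaring.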

1.1.4. Analogue Factorization System. By way of demonstration that there do in- 
deed exist situations in which consideration not only of time and space, but also 
of precision, is necessary in order insightfully and correctly to analyse complexity, 
we now briefly outline a computing system (described in [4], [3], to which we defer
further detail) that requires analysis so augmented. The system is an analogue 
computer that factorizes natural numbers in polynomial time and space (cf. the ex- 
ponential run-time required by the best publicly known digital algorithms), but that 
has exponential precision complexity: the system cannot efficiently factorize large 
numbers, but the reason (namely, precision) for which it cannot is overlooked by 
standard, exclusively time-and-space complexity analyses; of such unconventional 
systems successful complexity analyses must heed correspondingly unconventional 
resources (e.g., precision). 

A geometric interpretation of factorization. The chief observation behind the derivation
of our system is that the problem of factorization — the search for proper divisors
of a given natural number $n$ — can be recast geometrically. One considers the
hyperbola $y = n/x$: any point $(x, y)$ on the curve satisfies $xy = n$, and, in particular,
any integer point on the curve has integer coordinates $x$ and $y$ satisfying
$xy = n$; such coordinates are factors of $n$. These integer points of interest (from
the coordinates of which can be derived factors of $n$) are the points of intersection
between the grid $\mathbb{Z}^2$ of integer points and the curve $y = n/x$; however, since the
curve is a conic section, the sought points can equally be expressed as the intersection
between $\mathbb{Z}^2$ and a certain cone in $\mathbb{R}^3$.⁹ So as to construct our analogue
factorization system, we physically implement (certain finite subsets of) these two
structures — grid and cone — in such a way that their intersection can be identified
and hence factors found.

Implementing the integer grid. Of the grid $\mathbb{Z}^2 \times \{0\}$ we need implement only a
finite part: the $x$- and $y$-coordinates of the sought points of intersection between the
grid and the cone are factors of $n$, whence the subset $\{ (a, b, 0) \in \mathbb{Z}^3 \mid 1 \le a, b \le n \}$
suffices (for convenience, we consider instead $\{ (a, b, 0) \in \mathbb{Z}^3 \mid 0 \le a, b \le n \}$);
furthermore, due to the symmetry of both cone and grid about the plane $y = x$
and to the commutativity of multiplication, identifying grid-cone-intersection point
$(a, b, 0)$ yields the same factorization of $n$ (namely $n = ab$) as identifying $(b, a, 0)$,
whence we need consider only $\{ (a, b, 0) \in \mathbb{Z}^3 \mid 0 \le a \le b \le n \}$; finally, we assume
that the value $n$ to be factorized is odd,¹⁰ whence all factors are odd, and so we need
implement only points with both coordinates odd (for convenience, we implement
the set

$G_n := \{ (a, b, 0) \in \mathbb{Z}^3 \mid 0 \le a \le b \le n \wedge a - b \text{ is even} \}$

of points with $x$- and $y$-coordinates of the same parity — see Fig. 1).

Figure 1. The $\frac{n^2 + 4n + 3}{4}$ points of grid $G_n$ (which lies in the plane
$z = 0$).



9 Specifically, the cone consists of all lines that meet the central axis $\{ (x, x, \sqrt{2n}) \mid x \in \mathbb{R} \}$
at the point $(0, 0, \sqrt{2n})$, and do so at an angle of $\pi/4$ of a radian. Formally, the grid $\mathbb{Z}^2$ in this
three-dimensional context is $\mathbb{Z}^2 \times \{0\} = \{ (a, b, 0) \mid a, b \in \mathbb{Z} \}$.

10 Factorization of an even number may be achieved via repeated halvings (performed by Turing
machine), of which the number is recorded, followed by factorization (performed by the analogue
system described here) of the remaining, odd number. That the number of such halvings is
necessarily merely logarithmic in $n$ gives that, asymptotically, the complexity of the system does
not depend upon whether we include the Turing-machine halvings.
We implement this grid $G_n$ by instantiating a certain interference pattern, of
which the points of maximal wave activity model the elements of $G_n$. The source
that produces the pattern sits at $S := (1, 1, 0)$, has wavelength $\lambda := 2/n$, and
is shielded so as to emit radiation only in the $x \le 1 \le y$ quadrant (and, so
far as is practicable, only in the $z = 0$ plane); the radiation from this source
is reflected by mirrors at $M_1 := \{ (x, -x^2/2 + x + 1, 0) \in \mathbb{R}^3 \mid 0 \le x \le 1 \}$,
$M_2 := \{ (x, x, 0) \in \mathbb{R}^3 \mid 0 \le x \le 1 \}$ and $M_3 := \{ (0, y, 0) \in \mathbb{R}^3 \mid 0 \le y \le 1 \}$ (see Fig. 2(a)).
The resultant interference pattern within the region $0 \le x \le y \le 1$ (and $z = 0$)
has maxima at precisely those points $(x, y, 0)$ where $nx$ and $ny$ are integers of the
same parity (see Fig. 2(b)); these maxima model the integer grid points of $G_n$
(where, explicitly, we interpret a point $(a, b, 0)$ of maximal wave activity as modelling
$(na, nb, 0) \in G_n$) — compare Figs. 1 and 2(b). (Thus, we employ a scaling of
factor $1/n$ when implementing the system: a point $(x, y, z)$ in the mathematically
abstract world of $G_n$, the curve $y = n/x$ ($z = 0$), etc. corresponds to the point
$(x/n, y/n, z/n)$ in the 'real world' inhabited by our apparatus — $S$, $M_i$, etc.)




Figure 2. (a) The source $S$ and mirrors $M_i$. (b) The points of
maximal wave activity, within the region $0 \le x \le y \le 1$ (shaded),
in the interference pattern produced by $S$ and $M_i$ (in this example,
$n = 5$).

Implementing the cone. Having described the implementation of the grid $G_n$ of
integer-coordinate points, we turn now to the implementation of the cone. The
vertex of the cone we model using a second source $P_n$ of waves, positioned at
$(0, 0, \sqrt{2/n})$; this, together with a sensor $C_n$ occupying a certain circular arc,¹¹
uniquely specifies the cone, which is deemed to consist of those lines passing through
both $P_n$ and a point on the circle containing $C_n$. See Fig. 3.

By construction, we have that the cone intersects the plane containing the grid
of integer points (produced by $S$ and $M_i$) along the desired conic section $y = n/x$
(suitably transformed by the 'abstraction-to-implementation modelling map'
$(x, y, z) \mapsto (x/n, y/n, z/n)$ described above).



Having implemented the two constituent parts of the analogue system — the grid of 
integer points and the cone — , we should like to be able to identify their intersection, 



The curve of C n is 



(x, 2 — x, z) E ~ 



2{x- l) 2 + [z- y/2/riy 



z < 



l+n \ 
X > 1 
Figure 3. The apparatus implementing the cone: $P_n$ models the
cone's vertex, whilst $C_n$ occupies a circular arc in the surface of the
cone. The cone intersects the plane $z = 0$ containing the integer-point
grid (produced by $S$ and $M_i$, which are shown in grey for
context) along the conic section (pictured) that models the curve
$y = n/x$.



because, recall, the ($x$- and $y$-) coordinates of points belonging to both structures
yield factors of $n$. Provided that the two sources $S$ and $P_n$ produce waves of
a 'suitable' nature (and such choices of wave do exist — see Sect. 1.1.4 Example
implementation below), such identification is indeed possible: since the integer
points in $G_n$ are modelled as points of maximal wave activity in the interference
pattern produced by $S$ and $M_i$, it suffices that it is evident at sensor $C_n$ whether a
ray passing from $P_n$ to $C_n$ (which necessarily passes through a point on the desired
conic section $y = n/x$ in the grid's plane) has passed through a point of maximal
wave activity; from the coordinates of points on $C_n$ at which this maximal-activity
property is evident, one may then calculate (efficiently, via Turing machine) factors
of $n$.
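
The geometric recasting above can be checked in a few lines of exact integer arithmetic. The following Python is an added example, not code from the paper or from [3], [4]; the function names and the `closest_miss` proxy (the smallest vertical gap, in apparatus units, between the curve and a grid maximum that is not on it) are assumptions of this example, and $n$ is taken to be odd as in the text.

```python
"""Grid G_n and cone of the analogue factorization system, in exact arithmetic."""
from fractions import Fraction


def grid(n):
    """Points (a, b) of G_n: 0 <= a <= b <= n with a - b even (z = 0 implicit)."""
    return [(a, b)
            for a in range(n + 1)
            for b in range(a, n + 1)
            if (b - a) % 2 == 0]


def on_cone(a, b, n):
    """True if (a, b, 0) lies on the cone with vertex (0, 0, sqrt(2n)),
    axis direction (1, 1, 0) and half-angle pi/4."""
    # v = (a, b, -sqrt(2n)) runs from the vertex to the point; u = (1, 1, 0).
    # angle(u, v) = pi/4  <=>  u.v > 0 and (u.v)^2 = |u|^2 |v|^2 cos^2(pi/4) = |v|^2.
    # Here |v|^2 = a^2 + b^2 + 2n is an integer, so no floating point is needed.
    dot = a + b
    return dot > 0 and dot * dot == a * a + b * b + 2 * n


def factor_pairs(n):
    """Grid points that also lie on the cone; each gives a factorization n = a*b."""
    return [(a, b) for a, b in grid(n) if on_cone(a, b, n)]


def apparatus_point(a, b, n):
    """The modelling map (x, y, z) -> (x/n, y/n, z/n) applied to a grid point."""
    return (Fraction(a, n), Fraction(b, n))


def closest_miss(n):
    """Smallest vertical gap |b/n - 1/a| between the scaled curve and a grid
    maximum that is not on it, with the grid point attaining it.
    This proxy is this example's own, not the paper's precision measure."""
    misses = [(Fraction(abs(a * b - n), a * n), (a, b))
              for a, b in grid(n)
              if a >= 1 and a * b != n]
    return min(misses)


if __name__ == "__main__":
    for n in (15, 105, 1001):
        gap, point = closest_miss(n)
        print("n =", n,
              "| grid points:", len(grid(n)),
              "| factor pairs:", factor_pairs(n),
              "| closest miss:", float(gap), "at", point)
```

The number of grid points grows quadratically in $n$ while the gap that must be resolved shrinks, both of which are exponential effects when measured against the bit length of $n$.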

We now make these comments more concrete by describing an example imple- 
mentation of the system; crucially, this entails our specifying an instance of the 
"waves of a 'suitable' nature" alluded to above. 

Example implementation. Suppose that the interference pattern of $S$ and $M_i$
consists of water waves: the source $S$ is a device that (sinusoidally, say) disturbs one
point on the surface of a body of water (from which point ripples radiate), and


COMPLEXITY-STYLE RESOURCES IN CRYPTOGRAPHY 






the mirrors $M_i$ are reflective barriers protruding from the water — see Fig. 4. This
establishes our grid: the integer points of $G_n$ are modelled as points (within the
triangular region of the water's surface between $M_2$ and $M_3$) of maximal wave activity,
with calmer (i.e., shorter-amplitude) water at the non-integer points between.




Figure 4. A water-wave (S, $M_i$) and visible-light ($P_n$, $C_n$)
implementation of the analogue factorization device of Sect. 1.1.4.

Suppose further that the second source $P_n$, suspended above the surface of
the water, produces visible light, which shines down into the water and,
notably, onto the submerged light sensor $C_n$ (which is suitably positioned so
as to compensate for still-water refraction: in the absence of waves from S,
light from $P_n$ shining through the curve — let us call it $Y_n$ — modelling
conic section y = n/x in the water's surface would arrive at $C_n$, refraction
notwithstanding); again, see Fig. 4.

Crucially, a ray of light from $P_n$ passing through a point A on $Y_n$ on the
water's surface (on which curve we wish to identify integer, i.e.,
maximal-water-wave-activity, points) arrives at the corresponding point B on
$C_n$ with an intensity that betrays the amount of (water-) wave activity at A:
if A is a point of calm water (which is the case at maximal distance from grid
points), then light from $P_n$ arrives steadily at $C_n$, resulting in maximal
brightness when summed over a (water-) wave cycle; if, instead, A is an
undulating point on the water's surface, then light will reach $C_n$ only
intermittently, due to the periodically fluctuating refraction at A. If A is
maximally undulating — if it is one of our sought points of maximal wave
activity — , then this is evident as a minimal amount of light (summed over a
water-wave cycle) from $P_n$ reaching B. The user of the system, then, employs
$C_n$ in order to retrieve the coordinates of a minimally lit point from which
coordinates may be calculated the coordinates of the corresponding surface
point A; we reiterate that, (a) since A is a point through which, in the
absence of water-waves from S, light from $P_n$ would pass to $C_n$, it is on
the curve $Y_n$ that models y = n/x, and that, (b) by minimality of light at B
and by the comments of this paragraph, A is a point of maximal wave activity —
therefore, A is a sought grid point on $Y_n$, and its coordinates (which may be
calculated from those of B) yield factors of n.

This is the essence of waves' being of a 'suitable' nature: waves produced by
S must be of such a type that they affect those produced by $P_n$, as they
propagate to $C_n$, in such a way that maximality or otherwise of those from S
may be determined at $C_n$.

Using the system. We summarize now the process whereby the analogue system (in
its general form, not necessarily the water/light embodiment of Sect. 1.1.4
Example implementation) yields a factor of n.

(1) First, given the value $n \in \mathbb{N}$ to be factorized, the user
computes two values — 2/n and $\sqrt{2/n}$. This computation may be performed
via standard, Turing-machine-style computation.

(2) Secondly, these values are supplied, most probably imprecisely, to the
input parameters of the analogue device (recall the discussion in Sect. 1.1.3
of input/output parameters): the wavelength of S is set to 2/n, and the height
(i.e., z-coordinate) both of $P_n$ and of the centre of the circle containing
$C_n$ to $\sqrt{2/n}$.

(3) Having so set the input parameters, the analogue computation takes place
via propagation of waves from S and $P_n$; notably, an interference pattern
(of radiation from $P_n$ of varying intensity) is formed along sensor $C_n$.

(4) From readings of sensor $C_n$, the user determines (again, most probably
imprecisely) the x-coordinate (c, say) of a minimally lit point on this sensor.

(5) Finally, from this coordinate c, the user computes (again via Turing
machine or similar) the value which is, we claim (with informal justification
implicit above and formal deferred to [4]), a factor of n.

Time and space complexity. We claim (and defer to [4] justification beyond that
offered by the comments here) that the analogue system — consisting of steps
(2) to (4) in Sect. 1.1.4 Using the system — requires space and time merely
constant in the size of the value n being factorized: space because the
analogue apparatus is, for all n, contained within the constant-size,
n-independent cuboid $[0, 2] \times [0, 2] \times [-\sqrt{2}, 2\sqrt{2}]$;
time because the user need wait only for waves (the propagation velocity of
which we suppose to be independent of wavelength) to propagate over a constant,
n-independent distance within this cuboid.

To this constant time/space overhead, we add the polynomial (specifically,
quadratic) cost incurred during the Turing-machine calculations of steps (1)
and (5). (Input values 2/n and $\sqrt{2/n}$ need be calculated only with
sufficient precision to allow retrieval of n given that $n \in \mathbb{N}$;
output value need be found only to the nearest integer; this results in the
quadratic complexity claimed — see [4] for further detail.)



As a whole, then, the factorization system of Sect. 1.1.4 has polynomial time
and space complexity; this represents a marked improvement over the exponential
time complexity of the most efficient publicly known digital-computer
factorization methods. The catch, as one may imagine given the discussion of
Sect. 1.1.3, is the precision complexity of the system, which, we see below, is
exponential.
Precision complexity. We consider the input parameter $\lambda$, the wavelength
of source S. The user's intention, recall, is to set $\lambda$ to the value
2/n, where $n \in \mathbb{N}$ is the number to be factorized. Let us suppose

• that the input to $\lambda$ of value 2/n suffers an additive error
characterized by error term $\varepsilon > 0$: the value actually supplied to
$\lambda$ is an arbitrary element of
$[2/n - \varepsilon, 2/n + \varepsilon]$; but

• that the system performs error correction based upon the fact that
$2/\lambda$ is expected to be a natural number: given wavelength
$\lambda = 2/\nu$ for arbitrary $\nu \in \mathbb{R}^+$, the system acts as
though the number to be factorized is the nearest integer
$\lfloor \nu + 1/2 \rfloor$ to $\nu$.

The purpose of the resource of precision is to quantify the fidelity with which
$\lambda$ must be set (and the other parameters set/measured) in order that the
computation be performed correctly — to quantify, that is, how small
$\varepsilon$ (and the other parameters' analogous error terms) must be in
order that the received, error-corrected input value
$\lfloor \nu + 1/2 \rfloor$ to be factorized coincide with n (and, when
considering also output parameters, that the measured and interpreted output
value coincide with a factor of n).

$\varepsilon$ is sufficiently small in this sense if and only if the supplied
wavelength $2/\nu \in [2/n - \varepsilon, 2/n + \varepsilon]$ necessarily falls
in the interval $\left( \frac{2}{n + 1/2}, \frac{2}{n - 1/2} \right]$ of values
that the system corrects to 2/n, which is the case if and only if
$[2/n - \varepsilon, 2/n + \varepsilon] \subseteq \left( \frac{2}{n + 1/2}, \frac{2}{n - 1/2} \right]$,
which, in turn, is the case if and only if
$\varepsilon < \frac{1}{n(n + 1/2)}$. Thus, the set of corrigible errors
$\varepsilon$ in input parameter $\lambda$ is
$\left( 0, \frac{1}{n(n + 1/2)} \right)$, whence $\lambda$ contributes to the
system's overall precision complexity a multiplicative factor of n(n + 1/2),
which increases quadratically with n and therefore exponentially with the size
of n. Thus, regardless of the contributions from other input/output parameters,
the system's precision complexity is exponential.
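
The bound derived above can be checked mechanically. The following Python code is an added example, not part of the original paper: it implements the error-correction rule floor(nu + 1/2) with exact rational arithmetic, confirms that 1/(n(n + 1/2)) is the tight corrigible bound, and expresses the resulting fidelity requirement in bits; all function names are ours.

```python
from fractions import Fraction
from math import floor


def corrected_input(wavelength: Fraction) -> int:
    """Error correction described in the text: a supplied wavelength 2/nu is
    treated as a request to factorize the nearest integer floor(nu + 1/2)."""
    nu = Fraction(2) / wavelength
    return floor(nu + Fraction(1, 2))


def corrigible_bound(n: int) -> Fraction:
    """Supremum 1/(n(n + 1/2)) of the additive errors that are always corrected."""
    return 1 / (n * (n + Fraction(1, 2)))


def always_corrected(n: int, eps: Fraction) -> bool:
    """True iff every wavelength in [2/n - eps, 2/n + eps] is corrected to n.

    corrected_input never increases as the wavelength grows, so checking the
    two endpoints of the interval is sufficient.
    """
    lo, hi = Fraction(2, n) - eps, Fraction(2, n) + eps
    return lo > 0 and corrected_input(lo) == n and corrected_input(hi) == n


def precision_bits(n: int) -> int:
    """floor(log2(n(n + 1/2))): bits of fidelity needed when setting lambda.

    n(n + 1/2) = n(2n + 1)/2, so the result is floor(log2(n(2n + 1))) - 1.
    """
    return (n * (2 * n + 1)).bit_length() - 2


if __name__ == "__main__":
    n = 15
    bound = corrigible_bound(n)
    print("bound for n = 15:", bound)
    print("error just inside the bound tolerated:",
          always_corrected(n, bound * Fraction(99, 100)))
    print("error equal to the bound tolerated:", always_corrected(n, bound))
    # Fidelity grows linearly in the bit length of n, i.e. the admissible
    # error shrinks exponentially in the size of n.
    for bits in (16, 512, 2048):
        smallest = 1 << (bits - 1)          # smallest n of that bit length
        print(bits, "bit n needs at least", precision_bits(smallest), "bits")
```

For the smallest 2048-bit n the wavelength must be set to within roughly 2^-4094, which is the exponential precision cost that the time and space analysis alone does not reveal.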

We state again that the system does not offer efficient means of factorizing large 
numbers, though not because of its time or space complexity, but rather because 
of its precision complexity, which is seen in the above discussion quantitatively to 
impose an exponential cost. We describe now a framework in which may be made 
complexity analyses suitable for such situations (analyses, that is, that heed not 
only time and space but also precision and more). 

1.1.5. Computational-Model-Independent Framework of Complexity Theory. In [4],
we develop a framework in which one may insightfully analyse and meaningfully 
compare the complexity of instances of many different computational paradigms, 
with respect to many different resources. We recap now the salient aspects of the 
framework. 

Resource generality. The crucial observation from Sect. 1.1.4 is that, in the
specific case of the analogue factorization system, an insightful complexity
analysis must heed not only the standard resources of time and space but also
the non-standard resource of precision (for else one overlooks the true,
exponential complexity of the system). More generally, the observation is that,
when analysing the complexity of unconventional (analogue, chemical, optical,
quantum, . . . ) computers, the analysis must be with respect to accordingly
unconventional resources (precision, energy, etc., in addition to time and
space).

One may treat other input/output parameters analogously. However, we show below
that parameter $\lambda$'s contribution to the system's precision complexity is
exponential, whence the overall precision complexity is itself exponential,
regardless of the contributions of other parameters; accordingly, such
parameters are not explicitly considered.

Accordingly, the first step in the implementation of our complexity framework is 
a generalization of resource, such that one considers not merely time and space, nor 
yet merely time, space and precision, but rather arbitrary resources (in fact, this 
broad conception of resource is to be refined — see Sect. Normalization below; 
arbitrary resource offers a suitable starting point, however). 

Overall complexity. Having introduced many different (in fact, arbitrary) resources,
it is no longer clear how to define the overall complexity of a computation. When
one considers Turing machines and similar, the task is unproblematic: such sys- 
tems consume only the resources of time and space, and, for any computation, the 
consumption of the former is an upper bound for that of the latter (since writ- 
ing to memory takes time — more precisely, each time-step sees the computer write 
to at most one tape cell), whence time complexity offers an adequate measure of 
overall complexity (thus, the (overall) more efficient Turing machine is precisely 
the asymptotically faster). However, when considering systems conforming to more 
exotic (analogue, chemical, quantum, . . . ) computational paradigms, it is certainly 
not clear which (if any) of the many complexity functions, corresponding to the 
many resources consumed, successfully captures overall complexity. 

Intuitively, the task is to ascertain which of these many resources are 'relevant' 
to a computation — which, asymptotically, are consumed in sufficiently significant 
quantity that they should contribute to any reasonable measure of overall
complexity. We capture this criterion of relevance by defining dominance: a
resource is deemed dominant for a computation if its complexity function is
maximal in the preorder <, where, for complexity functions f and g, 'f < g' is
defined to mean '$f \in O(g)$' (we reiterate that further detail is given in
[4]).

A measure of overall complexity of a computation may then be defined to be the 
sum of the complexity functions corresponding to those resources that are dominant 
for the computation (this definition is consistent with the observation above that, 
for a Turing machine — for which time is necessarily dominant — , time complexity 
and overall complexity are one and the same). 

Normalization. As is clear from Sect. 1.1.5 Overall complexity, for dominance
usefully to serve its intended purpose it must determine definitively which of
a collection of resources are 'relevant' to a computation and so which
contribute to the overall complexity. However, without constraining what is
acceptable as a valid resource (recall that, in Sect. 1.1.5 Resource generality
above, no restriction is made), dominance unfortunately does not have this
property; we illustrate this now.

Recall from Sect. 1.1.2 the two standard resources consumed by a Turing
machine: S is the number of distinct tape cells to which are written during a
computation, T the number of time-steps that elapse. Since, for any input value
x, T(x) > S(x), we have that time is dominant: time is deemed to be no less
relevant to the computation than space; this is exactly what one expects and
hopes of dominance. However, one may measure space not with S but with, say,
S', given by $S'(x) := 2^{S(x)}$ — we merely relabel quantities of space:
rather than counting them as 0, 1, 2, 3, . . . , we (unusually but validly) use
1, 2, 4, 8, . . . It is then perfectly possible, our having artificially
exaggerated the relevance of space by using S' rather than S, that S' (not T)
becomes dominant. Whereas we should like that dominance determines definitively
which of time and space is the more relevant, in fact we may engineer which is
deemed more relevant simply by altering the way in which quantities are
measured or labelled.

A measure of overall complexity, furthermore, is highly desirable, both
practically — by comparing with respect to the O-preorder of complexity
functions the respective overall complexity of two systems, one ascertains
which is the more efficient and, therefore, preferable to use — and
theoretically — the ability to measure and compare systems' overall complexity
allows identification of the most efficient (known) system for a particular
computational task, and, therefore, of the tightest (available) upper bound on
the complexity of the task itself.

So as to remove this undesirable ability to engineer, we stipulate that any
resources considered must be normal. A normal resource, roughly, is one that
can attain any natural-number value. For example, S is normal since, for any
natural number a, there exist a Turing machine M and an input value x such that
$S_M(x) = a$; S' is not normal since, when a is not a power of two, for no pair
(M, x) do we have that $S'_M(x) = a$. Normalization is a process whereby an
arbitrary, unrestricted resource is converted into an order-isomorphic and,
crucially, normal resource; e.g., as one may imagine, S' normalizes to S.

Once we stipulate that resources be normal, then, one may no longer engineer
as above which of time and space is more relevant, for he is no longer free to
consider the (abnormal) resource S'; one must instead quantify space using S,
and is consequently led by dominance to the irrevocable conclusion that time is
more relevant than space.

See [4, 2] for more detail concerning normalization.

Summary. A much fuller account is given in [4], but we outline above the main
features — resource generality, dominance and the corresponding notion of
overall complexity, and normalization — of our model-independent framework of
computational complexity theory. The framework allows analysis and comparison
of the complexity of computers conforming to many paradigms and consuming many
resources.
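
As an added illustration (not taken from the paper or from [4]), the following Python code applies dominance to the analogue factorization system of Sect. 1.1.4 and to the relabelled space resource S' discussed under Normalization. It assumes complexity functions of the restricted form 2^(rate*k) * k^degree in the input size k, a constructed Turing machine with S(k) = k and T(k) = k^2, and a rank-based reading of normalization; all names are ours.

```python
from bisect import bisect_left
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Growth:
    """Complexity function of order 2^(rate*k) * k^degree in the input size k.

    Comparison is lexicographic on (rate, degree); within this restricted
    family that coincides with the O-preorder: f <= g iff f is in O(g).
    """
    rate: float = 0.0
    degree: float = 0.0


def dominant(resources: dict) -> list:
    """Names of the resources whose complexity function is maximal."""
    top = max(resources.values())
    return sorted(name for name, g in resources.items() if g == top)


def overall(resources: dict) -> Growth:
    """Sum of the dominant complexity functions. A sum of functions of equal
    order has that same order, so the maximal Growth represents it."""
    return max(resources.values())


def normalise(value: int, attainable: list) -> int:
    """Order-isomorphic relabelling onto 0, 1, 2, ...: the rank of `value`
    in the sorted list of values that the resource can attain (assumed
    reading of the normalization described in the text)."""
    rank = bisect_left(attainable, value)
    if rank == len(attainable) or attainable[rank] != value:
        raise ValueError(f"{value} is not an attainable value")
    return rank


# Analogue factorization system, measured in the size k (bit length) of n.
# Time and space are quadratic, as claimed in the text; the precision factor
# n(n + 1/2) is of order n^2 = 2^(2k).
ANALOGUE_FACTORIZER = {
    "time": Growth(0, 2),
    "space": Growth(0, 2),
    "precision": Growth(2, 0),
}

# Constructed Turing machine (an assumption): S(k) = k, T(k) = k^2.
# Measuring space as S' = 2^S gives order 2^k and lets space overtake time.
TM_RELABELLED = {"T": Growth(0, 2), "S'": Growth(1, 0)}
TM_NORMAL = {"T": Growth(0, 2), "S": Growth(0, 1)}


def relabelled_space_normalises_to_space(max_cells: int = 32) -> bool:
    """Check that S' = 2^S normalizes to S on the first max_cells + 1 values."""
    attainable = [2 ** a for a in range(max_cells + 1)]  # values S' can take
    return all(normalise(2 ** s, attainable) == s for s in range(max_cells + 1))


if __name__ == "__main__":
    print("analogue factorizer:", dominant(ANALOGUE_FACTORIZER))
    print("TM measured with S':", dominant(TM_RELABELLED))
    print("TM after normalization:", dominant(TM_NORMAL))
    print("S' normalizes to S:", relabelled_space_normalises_to_space())
```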

1.2. Motivation. We note from the preceding discussion that there exist many
(commodity) resources: the traditional time and space, as well as the
non-standard precision (which we define above by way of illustration), energy,
mass, thermodynamic cost, material cost, and many more besides; see [5], [4]
for further detail. We recall from that, from these many resources, one derives
in a uniform way the corresponding complexity functions; if one observes that
his non-standard computer consumes some new, non-standard resource, then he
acquires also a new complexity function. To these many complexity functions one
may apply various complexity-theoretic techniques and tools in order to analyse
and compare computers' efficiency and computational tasks' difficulty; Sects.
1.1.4 Precision complexity and 1.1.5 above give a feel for such application,
whilst [4] furnishes additional detail on this topic.

It is desirable, we suggest, to employ these complexity-theoretic techniques
and tools in the analysis not only of computational processes (as described
above), but also of cryptographic protocols and similar; this suggestion
motivates Sect. 2 of the present paper. More explicitly, if one were able to
abstract from a cryptographic protocol entities that behave (in some
appropriate sense) as resources, then there would result via (1) entities that
behave as complexity functions, to which could be applied the existing and
understood arsenal of complexity-theoretic techniques so as to analyse the
protocol.

15 We stress that this conclusion holds in the Turing-machine example presented
above, though not necessarily more generally for other computational paradigms.

The chief intuition here is that we wish to enable the formulation as a resource 
of the security (whatever that may mean) of a cryptographic protocol. This having 
been done, would then define the protocol's security complexity, about which 
one may reason via complexity-theoretic means with a view to proving/disproving
that the protocol is secure. 

Hence, we advocate here (though defer implementation and investigation largely 
to future work) a resource-centric framework in which many aspects of
cryptographic protocols may be captured as resources so as to allow security
analysis of
the protocols via previously inapplicable, complexity-theoretic techniques. Such a 
framework addresses the author's personal interpretation of and thoughts on this 
special issue's topic, 'information security as a resource'. 



2. Cryptographic Resources 

So as to illustrate the abstraction of resource-like entities from cryptographic
protocols, we consider the example of public-key cryptography. The intent here is for
sender Alice to transmit a message to recipient Bob (the two are spatially distant), 
without eavesdropper Eve's being able to obtain this message (Eve, we assume, 
intercepts all communications between Alice and Bob and does so undetected); 
that we consider specifically public-key cryptography implies that Alice and Bob 
do not, prior to the protocol's commencing, agree upon any shared information (a 
key, for example) of which Eve is unaware. 

The scheme's outline is as follows. 

• Bob generates two keys: one private (that Bob does not at any point trans- 
mit) and one public. 

• Bob sends the public key to Alice (and also, we must assume, to Eve). 

• Alice encrypts the message, with the encryption process taking as a param- 
eter Bob's public key. 

• Alice sends the encrypted message to Bob (and to Eve). 

• Bob decrypts the message, with the decryption process taking as a param- 
eter his private key; this yields Alice's original message. 

During the protocol, then, Eve gains access to Bob's public key and the encrypted 
message. Hence, for the protocol to function as desired, it must be the case not 
only (a) that the relationship between Bob's public and private keys is such that 
his decryption process does indeed (efficiently) yield the original message, but also 
(b) that any 'cheat' computation (that Eve might perform) that takes as input 
the public key and the encrypted message, and that returns the original message, 
is computationally infeasible; i.e., (a) Bob can successfully and efficiently retrieve 
Alice's communication, whereas (b) Eve cannot. 



Implicit in this talk of proof/disproof are the twin motivations of information assurance and
signals intelligence. The latter requires that we define the notions of the present work in such a 
way that one is able not only to identify the presence of insecurity in others' systems, but also to 
determine and exploit the root causes of such insecurity. 
If for example the specific implementation of public-key cryptography under
consideration is RSA [10], then such a 'cheat' computation whereby Eve can
retrieve the original message is natural-number factorization: finding the
factors of the public key reveals the private key, given which Eve could
decrypt using the same process as Bob. Fortunately for Alice and Bob, although
the difficulty of factorization has not been rigorously established (the
equivalent decision problem is believed not to be NP-hard, moreover), neither
is there publicly known an efficient and practicable means of factorization
(attempts spanning many mathematician-millennia and utilizing both standard and
non-standard computation notwithstanding).

This suggests that, at least for as long as factorization remains difficult in prac- 
tice, RSA offers a secure public-key scheme. Implicit in this suggestion, however, is 
the assumption that a complexity-theoretic consideration (of the difficulty or oth- 
erwise of Alice's, Bob's and Eve's respective processes) captures all aspects of the 
protocol relevant to an analysis of its security — that potential insecurities of the 
protocol are necessarily computational in this sense; this overlooks the possibility 
that, the apparent difficulty of factorization notwithstanding, Eve may be able to 
exploit for example side-channel information such as the time taken for Alice to 
encrypt the message or the amount of memory used by Bob in generating the pub- 
lic and private keys; if such information were to betray to Eve knowledge of the 
message itself or of Bob's private key, then there may exist within the protocol 
insecurities not predicated upon efficient means of factorization.

Accordingly, we advocate in the present paper an approach to the analysis of 
cryptographic systems that heeds not only the computational aspects of the proto- 
cols so analysed, but also the non-computational: those relating to communication, 
information, cryptographic primitives, and so on. More precisely, we advocate the 
formulation of these aspects (both computational and non-) as resources, which can 
then be analysed using the existing tools of complexity theory. We discuss in more 
detail now each of these categories of aspects/resources. 



2.1. Computation. The capture as resources of computational aspects of a pro- 
tocol or scheme requires no new machinery: one can apply the existing techniques 
of standard complexity theory ([9]) and its model-independent generalization ([4]
and Sect. 1.1.5) to any computations that take place during either the protocol
or potential attacks thereof. In the case of public-key cryptography, for example, 
these computations include Bob's key generation, Alice's encryption, Bob's decryp- 
tion (all of which one hopes are easy) and any computation (which one wants to be 
difficult) whereby Eve may obtain the message. 

By so analysing these computations, one quantifies computational resources such 
as time and space, and, if the protocol involves unconventional computers, possibly 
also precision, energy, etc. 



Perhaps a fairer name for the cryptosystem than 'RSA' would be 'C', for, whereas Rivest,
Shamir and Adleman publicly introduced the system in 1978, an equivalent form had in fact been 
discovered (unannounced) in 1973 by Clifford Cocks. 

Note that we mean not to suggest that such side-channels can necessarily be exploited in the
specific case of RSA. Rather, we mention RSA as an illustrative public-key system with which the 
reader is likely to be familiar, and (separately) introduce side-channels as an aspect that we wish 
to include in our analyses of arbitrary cryptographic protocols. 
2.2. Communication. We wish also to formulate as resources the communication
aspects of protocols. In public-key cryptography, for example, there is communi- 
cation (of public keys and encrypted messages) between Alice and Bob, and also, 
unintentionally, between them and Eve. We should, therefore, like to accommodate 
in our analyses of protocols such communication-theoretic resources as channel ca- 
pacity. 

2.3. Information. A further category of resource that we wish to capture concerns 
the information-related aspects of protocols. Again considering the example of a 
public-key cryptographic system, there are present various items of information: 
the message (both plain and encrypted), the public and private keys, and, crucially 
though less obviously, side-channel information.

It may for example be the case that, if Eve were able to monitor the time taken 
by Alice in encrypting the message, then that duration would betray to Eve some 
significant information about the message itself; alternatively, it may be that, if Eve 
were able somehow to measure the memory usage of Bob's key-generation routine, 
then that knowledge would betray to Eve something of the nature of Bob's private 
key (whence extracting the key itself may become tractable).

Although these potential betrayals of information are not explicit in the descrip- 
tion of the protocol (they are not explicitly represented by communication channels 
or similar), they nonetheless constitute an implicit flow of information for which we 
should like to account when assessing (via the resource-centric approach advocated 
here) the security of the protocol. 

2.4. Cryptographic Primitives. We comment now on the generality and appli- 
cability of the resource-centric framework described in the present paper. 

Note that we allude above to concepts such as ease/difficulty for Alice, Bob and 
Eve; this of course assumes that these three named roles exist within the protocol 
(and attacks thereof) under consideration. Whereas these roles do indeed exist 
in standard cryptographic (e.g., public-key) protocols, they may not be present 
in other protocols (such as coin-tossing schemes) that nonetheless feature similar 
issues of information sharing, mutual distrust, the availability of zero-knowledge 
proofs, etc., and that we should nonetheless like to accommodate (alongside the 
traditional Alice-Bob-Eve cryptosystems) in our resource-centric framework. 

Accordingly, so as to accommodate schemes and protocols that do not feature 
Alice, Bob and Eve (or, more generally, that do not feature 'goodies' and 'baddies'), 
it is desirable to conduct analyses focussing not on named agents, but rather on the 
abilities and inabilities of (anonymous) agents (whence, if we are in fact analysing 
an Alice-Bob-Eve set-up, we may derive which agent is which). 

Consequently, we wish to consider (in the context of our resource-centric
approach) the cryptographic primitives (such as one-way functions, trapdoor
functions and pseudorandom number generators) that may or may not be available
to (anonymous) agents, and, furthermore, to place these primitives on an equal
footing with other (computation-, communication- and information-related)
resources, such that trades-off between primitives and other resources can be
considered.

We note that the difficulty in exploiting a side-channel is typically in
identifying that the channel exists, rather than in using it once it has been
discovered. Consequently, in order successfully to accommodate side-channels
and related phenomena within our framework, we must consider not only the
'commodity' resources (run-time, memory space, etc.) consumed during Eve's use
of a side-channel, but also the 'manufacturing' costs that Eve incurs initially
whilst discovering/contriving the channel. See [5] for discussion of commodity
and manufacturing resources.

2.5. Summary. The purpose of the resource-centric framework advocated in the 
present paper is to allow insightful analysis of protocols (cryptographic systems, 
coin-tossing schemes, etc.) with respect to many aspects: computation, commu- 
nication, information (including, for example, side-channel information and the 
existence of subliminal channels), availability to the respective agents of primitives, 
etc. 

Intuitively, the more such aspects that are considered, the greater the likelihood 
of identifying any insecurities present in the protocol (or else the greater the sig- 
nificance of lack of such identification). If, for example, one were to consider only 
the computational aspects of RSA, then he might convince himself that the sys- 
tem is secure for as long as factorization is difficult; however, this may overlook 
insecurities (e.g., side-channels) relating to features of RSA that are not inherently 
computational. 

Accordingly, we wish to accommodate in our framework resources belonging to
the various categories described in Sects. 2.1 - 2.4: computation,
communication, information and primitives. Ultimately, the aim is to define (in
terms of its relationship with these resources) the resource of security, about
which we may then reason complexity-theoretically.

2.6. Security. We consider now the form that the resource of security may take. 
Prima facie, a reasonable first attempt at a definition would render security a one- 
dimensional quantity (a real number, say) — that depends upon key-size or similar 
(we once again have in mind public-key cryptography as our paradigmatic and il- 
lustrative protocol) — that is large when Bob can easily obtain Alice's message but 
Eve cannot, and small otherwise. However, as is implicit in the phrases "can
easily"/"cannot [easily]", this approach captures essentially nothing more than the
standard computational-complexity view of the protocol: this measure of secu- 
rity reflects merely the complexity of Eve's 'cheat' computation (e.g., public-key 
factorization in the case of RSA), whereas, recall, we should like also to capture 
many non-computational aspects (the presence of side-channels, etc.). It seems, 
then, that security should be a multi-dimensional quantity that reflects not only
the protocol's constituent computations but also its communication, information, 
primitives, etc. 

Note that the execution of each of the sub-processes making up a protocol can
incur costs in terms of resources belonging to these various categories:
computation, communication, information, primitives, . . . For example, Alice's
encryption routine incurs a (hopefully small) computational cost, but no
communication cost since encryption takes place locally on Alice's computer; on
the other hand, the transmission from Alice to Bob of the encrypted message
incurs a communication cost (requiring a channel of a certain capacity for a
certain amount of time), but no computational cost since, by definition of the
sub-process under consideration, the message is encrypted and ready for
transmission. Incurred by each of these sub-processes, then, is a cost in only
one category (computation for the former, communication for the latter).

20 Note that an excellent starting point for our introducing primitives into
our resource-centric framework is the approach of Ran Canetti; see, for
example, OH]-

21 Furthermore, having considered within the framework these diverse categories
of resource — computation, communication, etc. — , it may be possible to
establish the security of a protocol relative to assumptions that are not
necessarily complexity-theoretic ('factorization is difficult' or similar) or
physical ('Eve's intercepting a quantum channel is detectable by Alice and Bob'
or similar), say, but that are taken from a more general class of assumptions
concerning the many different categories of resource that we consider.

If this property of incurring cost in but a single category were to hold for all 
sub-processes and for all features of a protocol that one may consider, then there 
would be no apparent interaction between the respective categories, suggesting that 
one may consider each in isolation: analysis of the security of a protocol would then 
decompose into a series of separate searches for insecurities relating respectively to 
computation, communication, information and so on; the protocol would be deemed 
secure if and only if it were to pass the computation security test, and (separately) 
the communication security test, and (separately) the information security test, etc. 
Note that each such test is already extensively studied and has its own associated 
literature (of which some is cited in the present paper); such decomposition would 
result in our framework offering nothing new. 

However, if there exist features or sub-processes (we suggest, furthermore, that 
such do indeed exist) that fall into strictly more than one category of resource, if 
there arise trades-off between resources and/or primitives from different categories — 
if, in short, the different categories interact — , then one is no longer free to view 
security analyses within the framework as series of non-interacting tests, having 
rather to consider the framework as a coherent whole: the successful analysis 
of a protocol's security requires simultaneous consideration of the various facets 
represented by the different categories of resource/primitive. We suggest more- 
over that the resource of security does indeed straddle several categories, having 
non-trivial relationships with and dependencies on many different resources and 
primitives; hence, our analysis of protocols cannot, without sacrificing useful — even 
crucial — information, be decomposed, but must be performed within a coherent, 
all-encompassing framework. It is the implementation, study and use of precisely 
this framework that we advocate here. 